NMI Holdings, Inc. - (NMIH)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
We integrate technology into many aspects of our business. We use technology to engage with our customers and employees, and to deliver our products and services. The business information and data managed and stored in our technology systems is used in many of our daily functions, including accounting processes, financial forecasting, pricing, underwriting, sales, compliance, and communications, among others. We are mindful of the risk in the operation of our business presented by cybersecurity threats and remain aware of the potential risk to our IT systems and data.
In anticipation of and in response to such risks, we have a comprehensive information security/cybersecurity program, including controls and procedures designed to safeguard and maintain the integrity of our IT systems, and prevent and detect unauthorized access to our IT systems by threats or bad actors, both internally and externally. Due to the ever-changing nature of cyber threats, we seek to proactively mitigate risks through prevention and preparation. We take a risk-based approach and identify new and continuing threats to our information systems that could potentially compromise their secure and efficient operation. Our cybersecurity program is fully integrated into our overall risk management framework and is regularly evaluated by internal and external experts.
Our information security program is managed by a dedicated Chief Information Security Officer (CISO), who has over 25 years of relevant experience. Our CISO is charged with the maintenance and execution of our security program and reports to our Chief Information Officer, who leads the management of our information systems. The CISO manages a team that assesses, evaluates, and responds to cybersecurity threats. Our CISO, and other senior leaders in our IT, law, and internal audit departments, provide periodic reports to our Chief Executive Officer and other members of our senior management team and the Board, as appropriate, on cybersecurity risks and program updates.
Our Board oversees cybersecurity risks through the Board’s audit and risk committees. The Board's Audit Committee has primary oversight of cybersecurity risk. In performing its oversight function, the Audit Committee considers information from the senior leaders in various departments (including the IT, internal audit and law departments) who provide periodic reports on cybersecurity, including updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
Our cybersecurity program is aligned with industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and we periodically engage third parties as part of our continuing efforts to evaluate, enhance and test the adequacy and effectiveness of our security measures and controls. We require our third-party service providers to implement and maintain comprehensive cybersecurity practices commensurate with the services they perform for us, and consistent with applicable legal standards and practices. In addition, we maintain and test a business continuity plan that is designed to allow us to continue to operate in the midst of certain disruptive events, including disruptions to our IT systems, and we have an incident response plan that is designed to address information security incidents, including any breaches of our IT systems.
We believe all of these functions serve the process of prevention, detection, mitigation, and remediation of cybersecurity incidents. While we have not experienced any material cybersecurity events, we believe that disruptions to and breaches of our IT systems are possible and may negatively impact our business in the future. Despite robust controls and safeguards in place, no system can guarantee complete security from internal and external threats. See Item 1A, "Risk Factors - We may not be able to prevent the unauthorized disclosure or misuse of confidential, personal or proprietary information."